June 27, 2002 12:10 PM PDT
Microsoft paves over media player flaws
Media Player Patch
The company rates the problems as "critical"--Microsoft's most severe rating--and urges people to "immediately" download a patch, which was released Wednesday. The company said the patch would also fix previous problems with the software.
In the most severe exploit of a flaw, a hacker could take over a computer system and perform any task the computer's owner is allowed to do, such as opening files or accessing certain parts of a network.
The flaw that's rated "critical" mishandles Windows Media Player's requests for media files containing "digital rights management" software, potentially allowing attackers access to Internet Explorer's cache, the place where temporary IE files are stored. The other flaws result from how the media player software responds to storage devices and the way it stores play lists.
To fall victim to an attack of the most severe kind, a person would have to obtain a media file--through e-mail or by downloading it, for example. An attacker would then have to introduce an executable file into the person's browser cache and run it to gain access to the computer.
"It's not a straightforward, push-one-button-and-bad-things-happen type of thing. But there's a possibility a hacker could run code, and that's why we're rating it as critical," said Christopher Budd, a Microsoft security program manager.
Security holes have been a constant problem in Microsoft products, leading Chairman Bill Gates in January to promise to make security the company's top priority.